malwarewikiaorg-20200223-history
W32/Cobi
W32/Cobi is a dangerous trojan discovered on September 2017 by Grzegorz Zwinda. The Author of this trojan is unknown, though it is speculated that it was made by "Theodor Nice/Teodor Fajny" (his deviantart is here https://www.deviantart.com/kupaesesmana). This trojan is buggy and may cause unexpected effects. Behavior When the trojan is executed, at first it attempts to write certain registry keys into the computer and forces to disable most popular antiviruses (but it fails to disable AVG and Norton). Browsers except Mozilla Firefox will redirect to "www.cobi.pl" which is a site of the polish toy-maker and brick-making company COBI. It will also slow down the computer and track keystrokes of the victim's PC. If the user attempts to name PDF, picture (JPG, GIF, PNG, TIFF, TGA), music (WAV, MP3) or video (MP4, AVI) file "cobi", it will be instantly removed and it may show a message box consisting of random polish words or insults torwards the user such as "MMY WAS!", "KOBIKOWSKI ZBIL DZIECKO NAGRANIE!" and "WYPIERDALAJ COBIMANIAKU!". It will check for the executable named "COBI" on the system. If it exists, user's My Computer icon changes into a face of Jacques Houdek . It will also open Internet Explorer and immediately close it, flooding the desktop with message boxes consisting of "COBI MONSTER TRUX" and "COBI MAŁA ARMIA NIEZDROWY!" It will also attempt to hook itself to autorun.inf. Changes the name of the user to "pierdolony cobimaniac". Payloads The first payload activates on the 3rd of May (May 3rd Constitution Day in Poland) or 11th of November (Polish and Angola's Independence day). If a minute passes after the bootup, the desktop will be filled with faces of COBI's minifigures from Small Army, spinning around. Trojan also plays a pitch shifted, sped up version of Blank & Jones - After Love (Ibiza Mix). This effect will happen endlessly, even after rebooting. While the payload is active, if one would access www.cobi.pl, the browser will either shut itself or drop a pornographic, Rule 34 picture of Nino from the Fire Emblem series of games. In this Payload if one would start an executable for Command & Conquer Generals and it's expansion, Zero Hour, the COBI faces will be replaced with the mugshots of the Global Liberation Army (one of the three factions in the game) Generals. It will also popup messages such as "TO PIERDOLONY SCUD LAUNCHER!" every time the game is launched. It also makes strange changes to the game itself, such as naming the Player "roastman80", changing Toxin Tractor unit's audio to a distorted version of Real Workin' Buddies Mr Dusty's voice from one of the TV ads for the toy, or randomly crashing if one would play General Malcolm Granger's "General Challenge" map. Second payload activates on random dates, but there's a 25% chance it will happen on 1st of September. Now accessing cobi.pl will show a Credits message: : "W32/Cobi : Stworzony przez MIMMI MAMMA i TEODORA FAJNEGO! : ROAST KRÓLEWSKI! : Podziękowania dla: PIKSTER, Patryk Sześciak, Ignacy Dmitrczuk i Traktor Tom" If the message box is closed, the background will change to a random COBI minifigure's face from the trojan. It will attempt to overwrite MBR if the user will try to remove its registry keys. W32/Cobi will also redirect the user to random sites, such as Fire Emblem Wikia's Special:Random page, YouTube channels "Life of Boris ", "Zabawy Euzebiusza", "ClockiKlocki44" and "Kobikowski ", Wikipedia's page about the Polish city Darłowo , OVERKILL Software's official website , Steam Marketplace, Team Fortress Wiki's page about "The Texas Tech-hand" item set , many random YouTube videos (mainly in polish) and more. Third and last payload happens if both payloads were activated before or if the user has reached a certain number of attempted enters on the cobi.pl website. It will make attempt to remove every possible file on users PC, block administrator privelleges, trash the whole desktop with message boxes only consisting of the word "RZEŚKO!", play "Django Reinhart - Vendredi 13" on loop and overwrite the MBR. User's image will also become blank, and attempting to close the system will activate the first payloads spinning COBI faces. The overwitten MBR displays a message: "SUPER MIASTO DARŁOWO! NISZCZYCIELSKI ROAST!" You can disable the COBI trojan before it activates by killing its main process "ROAST.exe", although it has a chance to disguise as svchost.exe. It can also drop itself in SysWOW64 or System32 as "zniszczkobikowski.exe", "powtaniec.exe", "COBINISZCZYCIEL.exe", "ukle.exe" and "FRRRRRYTULESMACZNE.exe". Trivia *It's inspired by Imć Onufry Srakachujowa, a person that makes hate videos against the polish brick-making company COBI and LEGO ripoffs. *This trojan has an unused and unfinished code that would enable it to spam messages on Discord and Skype with "MIMMI MAMMA! LEGO AND COBI!" by Direct Messsage (Skype, Discord) or to randomly selected servers (Discord) *It's incredibly difficult to find the sample of the Trojan as it was only sent to a few people, including to a group called "Armia Hanibala". *Sometimes, when user attempts to click on anything, a random voiceover of the GLA Worker unit from the game mentioned above will play. Category:Trojan Category:Win32 Category:Win32 trojan Category:Microsoft Windows